PSD2 RTS – How not to kill conversion

Monday 29 May 2017 | 08:46 AM CET

Ralf Ohlhausen, PPRO Group: The price of getting Regulatory Technical Standards (RTS) wrong is very high and so are the rewards of getting it right

Whilst the latest draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Secure Communication (SC) by the European Banking Authority (EBA) was a good step forward from the previous one, it still has two major flaws: 1) the ill-advised restrictions for permitted direct access (screen scraping) and 2) the insufficient provision for Transaction Risk Analysis (TRA) based SCA exemptions. The former has had much press already and has now been tackled by numerous fintechs, but I would like to stress that correcting the latter is equally important.

Apparently, TRA was added to the latest draft RTS to enable the continuation of the very popular “liability shift” allowing online merchants to avoid the 3D-Secure (3DS) conversion killer, i.e. getting the card issuing bank to skip SCA in return for taking the liability off their shoulders. Unfortunately, as it stands, TRA falls short of achieving this goal.

Firstly, not merchants, but only their PSPs can request such an SCA exemption – and only if their fraud ratio is below a certain threshold. There are several flaws in here already: a) card schemes would have to change their contracts and processes, b) TRA would not depend on a particular merchant and their risk mitigation capabilities, but instead on a meaningless “risk average” across all the merchants of a given acquiring PSP, c) the risk ratio levels are rather arbitrary and d) they can’t even be calculated properly, because it is not defined what shall count as a fraudulent transaction. To avoid the huge mess of low/mid/high-risk merchants reshuffling to low/mid/high-risk PSPs according to doubtful and hard-to-audit ratios, it would be much better to allow the tried and tested existing “liability shift” rules rather than reinventing this wheel and making it square.

Secondly, the RTS grants the issuing bank the discretion to accept such a TRA-based SCA exemption request or not. Based on their existing scheme contracts, they are likely to do that for card-based transactions, but how could they be sure to offload their liability for credit transfer initiations? There are no schemes, bilateral contracts don’t exist, are not foreseen and are impractical anyway. So rather than giving a big boost to credit transfers and leveraging the many advantages of such push payments, they would get burdened with much less scope for SCA exemptions. In the absence of bilateral agreements, the only way around this is to solidify the liability shift provisions in the RTS.

Finally, TRA should be given a much larger scope anyway. Given the inevitable drive towards more customer convenience, e.g. invisible payments à la Uber, it is foreseeable that traditional customer authentication methods, e.g. passwords, will be replaced by context- and behaviour-based risk management enabled by new technology and artificial intelligence. So while the rest of the world is moving from 1-Click to 0-Click payments, we shouldn’t go in the opposite direction. Instead, we must allow merchants to use such new developments in making the life of their customers easier, by accepting the liability, but still keeping their risk low.

The EBA is quite close to creating a worldwide, best-in-class regulation – just two improvements to go. Dear EBA: please talk to the recent industry initiatives driving the Direct Access and TRA discussions to define the best way forward. The price of getting this wrong is very high and so are the rewards of getting it right. If we can achieve the latter, the rest of the world will watch in envy and we stand a good chance of sustaining the EU's lead in the fintech industry – and not losing out to less regulated parts of the world.

About Ralf Ohlhausen

Ralf Ohlhausen, Business Development Director, MSc in Mathematics and Master of Telecommunications Business, has over 25 years’ experience in ecommerce, financial services, mobile telecoms and IT. Before joining PPRO Group, he was President Europe at SafetyPay. Other management positions on his international career path took him to Digicel, O2, British Telecom and Mannesmann-Kienzle.

At PPRO, Ralf is responsible for expanding the company’s portfolio and global reach, as well as developing new business areas and partnerships. Since the end of 2016, Ralf Ohlhausen has been a member of the Euro Retail Payments Board (ERPB) of the European Central Bank (ECB), representing the interests of the Electronic Money Association (EMA).

About PPRO Group

PPRO Group (PPRO), a cross-border e-payment specialist, removes the complexity of international ecommerce payments by acquiring, collecting and processing an extensive range of alternative payment methods for Payment Service Providers (PSPs) under one contract, through one platform and one single integration. PPRO supports international payment methods across more than 100 countries, allowing PSPs to expand their merchants’ ecommerce reach, arrange hassle-free collection and achieve higher conversion rates.